Puppet Server / SERVER-1315

Support autosigning with a ca certificate bundle file


    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.1.0
    • Component/s: None
    • Team:
      Platform Core
    • Sprint:
      Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
    • Release Notes:
      Bug Fix


      Currently, the CA code returns the contents of $cadir/ca_crt.pem to agents who hit /v1/certificate/ca, which they do in order to bootstrap a trust relationship. The agents hit this endpoint if there isn't a localcacert on their filesystem, save the results to $ssldir/certs/ca.pem, and use the returned certificate to validate subsequent server connections.

      While the agents will happily use a certificate chain at their localcacert location to validate server connections, and puppet cert generate hostname.dom.ain on the master will select and use the correct CA cert out of a chain in ca_crt.pem, the autosigning code errors when it encounters such a file:

      Error: Could not request certificate: Error 500 on SERVER: Internal Server Error: 
      java.lang.IllegalArgumentException: The PEM stream must contain exactly 1 certificate

      I'm open to implementation options, either to permit >1 cert in the file (as puppet cert generate seems to do just fine, presumably by matching the private key to one of the certs in the bundle?) or by allowing a separate file to be returned by the /certificate/ca endpoint which is disconnected from the actual signing cert file.
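
An added example, not part of the original ticket and not Puppet Server's code: the first option described above (accept more than one certificate in the file and pick the signer by matching the CA private key), sketched in Ruby with the standard openssl library. The helper names and the throwaway two-CA chain are constructed for illustration.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM bundle instead of insisting on exactly one.
def load_bundle(pem_text)
  pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Pick the signing certificate: the single entry whose public key pairs with
# the CA private key. Anything other than one match is a configuration error.
def signing_cert(bundle, ca_key)
  matches = bundle.select { |cert| cert.check_private_key(ca_key) }
  unless matches.size == 1
    raise ArgumentError, "expected 1 certificate matching the CA key, found #{matches.size}"
  end
  matches.first
end

# Constructed sample data (hypothetical helper): a minimal CA certificate.
def make_ca(common_name, key, serial, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed chain: root first, intermediate (the actual signer) second.
def constructed_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  root = make_ca('Constructed Root CA', root_key, 1)
  inter = make_ca('Constructed Intermediate CA', inter_key, 2, root, root_key)
  { pem: root.to_pem + inter.to_pem, root_key: root_key, inter_key: inter_key }
end

if __FILE__ == $PROGRAM_NAME
  chain = constructed_chain
  bundle = load_bundle(chain[:pem])
  puts "bundle holds #{bundle.size} certificates"
  puts "signing cert: #{signing_cert(bundle, chain[:inter_key]).subject}"
end
```

Selecting by key match rather than by position means the order of certificates in the bundle does not matter, and a bundle that contains no certificate for the configured key fails loudly instead of signing with the wrong issuer.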


                • Assignee:
                  qa qa
                  eric.sorenson Eric Sorenson